Abstract. Traditional key pre-distribution schemes in sensor and ad hoc networks rely on the existence of
a  trusted  third  party  to  generate  and  distribute  a  key  pool.  The  assumption  of  a  single  TTP  however  can 
be  very  strong  in  practice,  especially  when  nodes  belong  to  different  domains  and  they  come  together  in  an 
ad  hoc  manner.  Other  important  motivations  to  omit  a  TTP  include  preservation  of  privacy  in  a  network 
as  well  as  reducing  the  required  knowledge  base  for  the  usage  of  sensor  networks.  In  this  work,  we  show  the 
shortcomings  of  the  previous  approaches  [3, 13]  in  terms  of  both  efficiency  and  security.  By  incorporating  a 
heterogeneous  network,  we  show  that  we  can  dramatically  reduce  the  load  on  resource  constrained  devices 
while  also  increasing  their  security.  We  also  propose  a  new  strengthened  security  model  for  self-organized 
ad  hoc  networks  and  evaluate  the  security  of  our  protocol  in  this  model.  We  evaluate  the  correctness  of  the 
protocol  and  show  that  we  can  achieve  network  connectivity  with  very  high  probability. 


1  Introduction 

Traditional  ad  hoc  and  sensor  network  settings  generally  assume  a  trusted  third  party  (TTP)  who  is  trusted 
with  the  keying  information  and  enables  secure  delivery  of  keys  to  the  network  principals  and/or  nodes.  Security 
associations,  such  as  authentication  of  nodes  or  securing  communication  channels,  are  then  bootstrapped  using 
this  information.  In  key  pre-distribution  schemes,  the  TTP  allocates  keys  to  each  node  prior  to  deployment  either 
randomly  from  a  key  pool  [8,5],  or  by  using  a  well-defined  combinatorial  structure  such  as  a  t-design  [10]  that 
ensures  the  key  subsets  allocated  to  the  nodes  satisfy  certain  properties. 

However,  the  assumption  of  a  single  TTP  can  be  restrictive  in  scenarios  where  the  network  is  self-organized  and 
formed  without  prior  planning.  In  the  following  we  list  some  of  the  immediate  applications  that  require  distribution 
of  trust. 

1.  In  disaster  response  scenarios  for  example,  a  network  may  be  formed  with  members  belonging  to  different 
administrative  domains.  Furthermore,  it  might  be  impossible  to  access  an  outside  authority  due  to  the  lack  of 
preexisting  infrastructure  or  inability  to  contact  off-site  systems  [12].  In  such  life-threatening  situations,  it  is  not 
acceptable  to  deny  data  from  a  legitimate  principal  that  might  save  someone’s  life.  Therefore  in  such  scenarios,  a 
‘best-effort’  security  model  might  be  appropriate,  making  strong  guarantees  when  a  single  trusted  third  party  can 
be  established  and  making  weaker  guarantees  when  no  TTP  can  be  assumed. 

2.  In  combat  situations  it  is  essential  to  allow  members  of  a  coalition  to  join  and  form  collaborative  groups.  In  such 
dynamic  coalitions  there  is  typically  no  single  TTP  prior  to  or  during  deployment. 

3. Existence of a TTP is in immediate conflict with privacy enhancing applications. As sensor and ad hoc testbeds
have been deployed, it has become clear that user privacy can be easily compromised as a side effect of seemingly
innocuous applications [4]. For example a humidity sensing network can also be used to monitor activity in a room,
as the human body effectively alters the room humidity. Therefore, by removing the presence of an all-knowing
authority (i.e. the TTP), communication can be made private to the restricted user set.

4.  Finally,  to  allow  the  wide  adoption  of  sensor  and  ad  hoc  networks  in  everyday  scenarios,  it  is  desirable  to  reduce 
the  required  knowledge  base  of  network  owners.  Customers  should  be  able  to  purchase  a  set  of  nodes  that  are  usable 
upon  purchase  without  requiring  the  presence  of  a  network  administrator.  Therefore  the  node  manufacturer  can 
install  public  data  in  the  nodes  that  can  bootstrap  future  security  associations. 

*  Research  was  sponsored  by  the  U.S.  Army  Research  Laboratory  and  the  U.K.  Ministry  of  Defence  and  was  accomplished 
under  Agreement  Number  W911NF-06-3-0001.  The  views  and  conclusions  contained  in  this  document  are  those  of  the 
author  and  should  not  be  interpreted  as  representing  the  official  policies,  either  expressed  or  implied,  of  the  U.S.  Army 
Research  Laboratory,  the  U.S.  Government,  the  U.K.  Ministry  of  Defence  or  the  U.K.  Government.  The  U.S.  and  U.K. 
Governments  are  authorized  to  reproduce  and  distribute  reprints  for  Government  purposes  notwithstanding  any  copyright 
notation  hereon. 


In  the  following  we  focus  on  the  problem  of  group  key  distribution  in  self-organized  ad  hoc  and  sensor  networks 
where  no  single  point  of  trust  exists.  A  group  key  allows  nodes  to  securely  communicate  with  each  other  and 
participate  in  collaborative  tasks.  The  dynamic  property  of  the  network  allow  new  nodes  to  join  or  exiting  nodes 
to  leave  the  group.  This  is  an  essential  mechanism  in  applications  such  as  1  and  2  listed  above.  We  consider 
heterogeneous  networks  consisting  of  two  types  of  nodes:  typical  low  performance  sensor  nodes  and  more  powerful 
nodes  with  more  computation  and  communication  resources.  It  has  been  recently  shown  [7, 1]  that  networks  that 
consist  of  homogeneous  nodes  cannot  scale  well  and  also  have  lower  performance  compared  to  networks  that 
include  a  number  of  more  powerful  nodes.  Introducing  more  powerful  nodes  also  improves  reliability  and  lifetime 
of  the  network  [1].  Furthermore  [14]  showed  that  pairwise  communication  security  in  the  presence  of  a  TTP  is  not 
necessarily  sacrificed  if  a  key  distribution  scheme  leverages  the  existence  of  more  capable  nodes. 

1.1  Related  Work 

The  first  work  on  key  pre-distribution  in  ad  hoc  network  without  a  TTP  is  due  to  Chan  [3].  In  this  construction 
each  group  member  individually  selects  his  keys  from  a  common  public  key  pool  in  a  specified  way.  The  aim  of  the 
protocol  is  to  probabilistically  construct  a  Cover  Free  Family  (CFF)  that  will  ensure  shared  keys  between  nodes. 
After  the  key  selection  phase,  nodes  follow  a  shared  key  discovery  protocol  that  uses  homomorphic  encryption  to 
discover  nodes’  shared  keys.  Chan  showed  that  his  proposed  protocol  allows  any  two  nodes  to  communicate  securely 
with  a  high  probability  and  the  system  provides  security  against  collusion  attack.  However,  [15]  showed  that  the 
probability  that  the  constructed  structure  is  a  CFF,  is  very  low  and  so  the  protocol  cannot  achieve  its  suggested 
goal. 

The closest work to our scheme (in fact the motivation of our work) is Luo et al. [13], which was inspired
by Chan's work. Luo et al. propose a probabilistic group key management protocol (referred to as LSBS) for ad
hoc networks and assume homogeneous nodes. The objective of LSBS is to establish a common shared key for the
whole  group.  The  protocol  consists  of  three  phases.  In  the  first  step,  nodes  agree  on  system  parameters  and  a 
public  key  pool.  Then  each  node  randomly  selects  a  set  of  keys  from  the  key  pool  in  accordance  with  the  protocol 
specification,  and  performs  a  shared  key  discovery  (SKD)  protocol  with  each  neighboring  node  to  discover  shared 
keys.  The  group  key  is  generated  by  special  subsets  of  nodes  called  initiating  groups  (IG),  and  is  distributed  by 
flooding  the  network.  Authors  show  that  the  success  probability  of  establishing  a  group  key  can  be  made  very  high 
if  the  size  of  the  key  ring  is  chosen  appropriately  and  keys  are  selected  from  a  structured  key  pool  according  to  a 
specified  strategy.  Authors  analyzed  the  security  of  the  protocol  against  an  eavesdropping  adversary  who  tries  to 
guess  the  key  ring  of  a  node,  or  the  secret  key  that  is  used  to  secure  the  communication  of  two  nodes. 

Shortcomings of the LSBS protocol. Although the LSBS protocol achieves its stated goal, in practice there are
challenges that, if not addressed, make the protocol impractical. The following is a list of the more stringent
shortcomings of the protocol.

1. LSBS implicitly assumes that a single IG is formed, whereas in practice many IGs may exist simultaneously. In
fact our simulation results show that in a network of 1000 nodes, where each node has a key ring of 150 keys,
up to 100 IGs can form. To obtain a single group key for all nodes, some mechanism for negotiation and/or
cooperation among IGs is required (1). Both of these approaches, however, substantially increase the communication
and computation cost, which is very undesirable in a resource constrained network. The solutions also need to be
carefully designed to prevent security compromise.

2. The communication cost of the shared key discovery (SKD) phase of the protocol is $O(l)$, where $l$ is the size of
the key ring. LSBS requires a node $u$ to execute the SKD protocol with all of its neighboring nodes. If on average a
node is in the neighborhood of $d$ other nodes, a communication cost of $O(d \cdot l)$ per node is incurred. For networks
with battery powered nodes it is essential to reduce this cost in order to prolong network lifetime.

3. LSBS is analyzed using a simple threat model that does not take into account real life threats in a wide range of
application scenarios. The adversary is considered passive and can only eavesdrop on the communications. Given
that the key pool is public, the adversary's objective is to either determine the node key or the link key that secures
the link between two nodes.

In sensor networks it is common to assume that the adversary can compromise a subset of nodes and obtain
the secret information of the nodes. Such information includes the key rings of the nodes and the keys that the
nodes share with their neighbors. This latter information will reduce the effort required for finding the key rings of
uncompromised nodes, and/or the link keys for links between the compromised node and its neighbor nodes.

(1) For example, IGs may negotiate amongst themselves to determine a single IG that is responsible for group key
generation. A fair and democratic negotiation would in general be hard to implement. An alternative approach would
be to allow all IGs to contribute partial shares of the group key and distribute these shares to the rest of the network
via flooding.

1.2  Our  Contribution 

In this paper, we propose a Layered Key Pre-Distribution (LKD) scheme for networks of heterogeneous nodes:
resource constrained nodes (level 2 or L2) and a small number of high performance nodes (level 1 or L1). L1 nodes
have more resources and are possibly better protected (e.g. use tamper proof hardware). LKD uses an unbalanced
distribution of keys, where L1 nodes are allocated a larger key ring. The L1-centric clusters that are formed result
in more efficient generation of group keys.

We  give  a  probabilistic  analysis  of  the  protocol  and  show  that  the  inclusion  of  a  small  number  of  more  powerful 
nodes  in  the  network  results  in  constant  communication  and  computation  cost,  independent  of  the  neighborhood 
size  of  a  node. 

We  support  our  evaluation  of  LSBS  (e.g  formation  of  multiple  IGs)  and  our  analysis  of  LKD  by  simulating 
a  network  of  1000  nodes  where  approximately  6%  of  the  nodes  are  more  powerful.  An  interesting  byproduct  of 
our  simulation  has  been  the  uncovering  of  a  number  of  details  that  must  be  addressed  when  the  protocol  is  used 
in  practice.  For  example,  a  node  may  belong  to  multiple  IGs  and  there  must  be  an  efficient  decision  strategy  to 
participate  in  a  single  one.  Another  example  is  how  to  ensure  the  neighborhood  condition  is  satisfied  for  all  the 
nodes  in  an  IG. 

We  next  evaluate  the  security  of  the  protocol  in  a  strengthened  security  model.  We  argue  that  with  a  public 
key  pool  and  without  a  TTP,  previous  proposed  threat  models  and  security  metrics  such  as  network  resiliency  [5, 
8],  which  assumed  secret  key  pool  and  a  TTP,  are  no  longer  valid.  We  update  these  definitions  for  our  new  system 
and  trust  model  and  define  a  new  security  metric  called  neighbor  resiliency.  We  analyze  the  security  of  both  LKD 
and  LSBS  under  this  new  threat  model.  Our  analysis  shows  that  LKD  achieves  better  security  than  LSBS  against 
node  compromising  adversaries  because  sensing  nodes  in  LKD  learn  much  less  information  about  the  nodes  in  their 
neighborhood. 

The  paper  is  organized  as  follows:  Section  2  describes  our  network  and  trust  model;  Section  3  introduces  the 
LKD  protocol;  Sections  4,  5  provide  the  correctness  and  the  security  analysis  of  the  LKD  protocol;  Section  6 
supports  the  theoretical  analysis  with  simulation  results.  We  also  include  theoretical  and  simulation  analysis  of 
LSBS  to  point  out  its  shortcomings.  We  provide  concluding  remarks  and  future  directions  in  Section  7. 


2  System  Model 

We consider the network to be fully self-organized, meaning that there is no infrastructure (hence no public key
infrastructure). Traditional network models considered for sensor networks not only assume a homogeneous network
but also assume either a grid or a random graph [8, 5] model where all neighboring nodes are in communication
contact. A more realistic model takes into consideration the various signal-blocking barriers and interference sources
such as hills and buildings that exist in the deployed environment. In practice, deployed nodes are often segregated
into exclusive neighborhoods due to the features of the landscape [14]. Our model accounts for this by considering
a cluster based network, where sensor nodes form ad hoc groups around more powerful nodes which act as the
backbone of the network. Therefore the sensor nodes connect to the rest of the network through the powerful
'gateway' nodes.

We assume a heterogeneous sensor network of size $n$ consisting of two types of nodes: sensing or level 2 (L2)
nodes, which are resource constrained and have limited storage and energy capabilities, and level 1 (L1) nodes,
which are more capable, with larger memory, more powerful transceivers and energy sources. As a result L1 nodes
can store larger key rings and other state data, as well as communicate with a larger neighborhood of nodes. The
network consists of $c$ L1 nodes and $(n - c)$ L2 nodes. Example L2 nodes are small Berkeley Mica2 motes with 8-bit
4 MHz processors and 128 KB memories [2]. L1 nodes can be more powerful devices such as laptops, mobiles or other
portable devices. Many such devices have better physical protection against compromise, such as the use of tamper
resistant hardware. However, for simplicity, we assume the same type of protection for L1 and L2 nodes. We also
assume that each node $u_i$ has a unique identifier $i$.

Trust  Model.  We  assume  that  the  network  has  no  central  authority  or  a  single  trusted  third  party.  Each  node 
essentially  acts  as  its  own  domain  authority.  Public  information  such  as  the  key  pool  is  available  to  all  network 
parties,  including  malicious  parties. 

Authentication. Since we do not assume any trusted third parties, it is impossible to establish strong authentication
and identification amongst network nodes. We weaken our requirements such that, to control the joining of
malicious nodes to the group, we assume some auxiliary identification mechanism for nodes (e.g. node hardware).
The details of such a mechanism are outside the scope of our work.


Fig. 1. A heterogeneous sensor network with two types of nodes, L1 and L2.

3  Layered  Key  Pre-Distribution  (LKD)  Scheme 

In this section we describe the LKD scheme to establish both pairwise and group keys in a self-organized network
that does not have a TTP. The heterogeneous network consists of resource constrained nodes (L2) and more capable
nodes (L1) that hold a larger portion of the key pool than L2 nodes. It follows that L1 nodes are able to establish
secure links with a larger portion of the nodes. In each neighborhood, local $(l, r)$-secure groups are established, where
$l$ denotes the security level and $r$ is the minimum number of nodes in the group. We will show later that $r$ does
not affect the security of the protocol and is used for efficiency purposes. The local groups in a neighborhood together
generate a cluster key; the cluster keys are then exchanged to contributively generate a network group key. We ensure
that the keys generated in each layer (i.e. local, cluster or network) are independent. The overall algorithm consists of
the following phases: initial setup, neighborhood discovery, cluster and group key generation, join and leave. Figure 2
outlines the steps of the protocol.


Initial  Setup.  Nodes  agree  on  network  parameters  and  select  keys  rings. 

Neighborhood Discovery. Nodes discover the node types in their neighborhood. If an L2 node discovers an L1
node as a neighbor, it executes the shared key discovery phase, which consists of a private set intersection protocol.
A secure link can be established between the L1 and L2 nodes based on their shared keys. L1 nodes keep an
account of all the L2 nodes in their neighborhood by computing an incidence matrix.

Cluster and Group Key Generation. L1 nodes use the incidence matrix to assist their neighboring nodes to
form local $(l, r)$-secure groups. Each local group contributively generates a partial cluster and group key. The
cluster and group keys are thus generated democratically by a large portion of the neighborhood nodes.

Join.  A  newly  deployed  node  joins  the  network. 

Leave.  A  possibly  malicious  node  departs  from  the  network. 


Fig.  2.  Outline  of  LKD  protocol. 


3.1  Initial  Setup 

In this phase nodes agree on the parameters used in the protocol. The system parameters include a public key pool
and its partition into $k$ blocks of size $m$ each. The security parameter is $l$, which defines the level of link security
by specifying the minimum number of keys two nodes need to share to establish a secure communication channel.
The sizes of the key rings of L1 and L2 nodes are also set, to $k_A$ and $k_B$ respectively.

We  note  that  these  parameters  can  either  be  set  by  the  node  manufacturers  or  during  an  initial  setup  phase 
prior  to  deployment. 

Distributed Key Ring Selection: A node $u_i$ randomly selects one key from each key block to form a key ring
$\{K^i_1, \ldots, K^i_k\}$, where $k = k_A$ for an L1 node and $k = k_B$ for an L2 node. Assume that $k_B$ is equal to the number
of blocks in the key pool, $k$. Since $k_A > k_B$, an L1 node needs to choose more than one key from some blocks. We
define the following strategy for key ring selection of L1 nodes.


L1 Node Key Selection:


— Let $k_A = t \cdot k_B + s$, where $t, s \in \mathbb{Z}$ and $0 \le s < k_B$. Select $t$ keys from each of blocks $1$ to $(k - s)$.

— Select $(t + 1)$ keys from each of blocks $(k - s) + 1$ to $k$ (in total $s$ key blocks).

(This yields $t(k - s) + (t + 1)s = tk + s = k_A$ keys in total.)
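The key ring selection rules above, carried out in code, as an added example (not code from the paper): the public pool is modelled as k blocks of m integer key identifiers, an L2 node draws one key per block, and an L1 node with k_A = t k_B + s keys draws t keys from each of the first k - s blocks and t + 1 from each of the last s. The pool encoding, the function names and the expected-overlap helper are our assumptions; the expected count follows from each L2 key being uniform within its block, which is why an L1 ring overlaps an L2 ring in k_A / m keys on average versus k / m for two L2 rings.

```python
"""Distributed key ring selection in LKD (added example, not the paper's code).

Assumptions (ours, not fixed by the paper): the public pool is k blocks of m
keys, a key is identified by the pair (block, index), a node draws keys
without replacement inside a block, and Python's `random` stands in for the
node's RNG.
"""
import random


def key_pool(k, m):
    """Public key pool: k blocks of m keys, key id = (block, index)."""
    return [[(b, c) for c in range(m)] for b in range(k)]


def l2_ring(pool, rng):
    """L2 node: exactly one key per block, so k_B equals the block count k."""
    return {rng.choice(block) for block in pool}


def l1_ring(pool, k_A, rng):
    """L1 node: k_A = t*k + s keys; t per block for the first k-s blocks,
    t+1 per block for the last s blocks."""
    k, m = len(pool), len(pool[0])
    t, s = divmod(k_A, k)
    if t + (1 if s else 0) > m:
        raise ValueError("k_A too large: a block holds only m distinct keys")
    ring = set()
    for b, block in enumerate(pool):
        count = t if b < k - s else t + 1
        ring.update(rng.sample(block, count))
    return ring


def per_block_counts(ring, k):
    """How many keys of `ring` fall in each block (the t / t+1 pattern)."""
    counts = [0] * k
    for b, _ in ring:
        counts[b] += 1
    return counts


def expected_shared_with_l2(ring, k, m):
    """Expected number of keys an L2 ring shares with `ring`: an L2 key is
    uniform within its block, so block b contributes count_b / m and the
    sum is |ring| / m (k_A / m for an L1 ring, k / m for another L2 ring)."""
    return sum(per_block_counts(ring, k)) / m


def shared_keys(ring_a, ring_b):
    """Shared keys as a plain set intersection (what SSKD computes privately)."""
    return ring_a & ring_b


def demo_rings(seed, k=10, m=5, k_A=23):
    """Deterministic sample: one L1 ring and one L2 ring drawn from the same pool."""
    rng = random.Random(seed)
    pool = key_pool(k, m)
    return l1_ring(pool, k_A, rng), l2_ring(pool, rng)


if __name__ == "__main__":
    v, u = demo_rings(2024)            # k_A = 23 = 2*10 + 3, so t = 2, s = 3
    print(per_block_counts(v, 10))     # [2, 2, 2, 2, 2, 2, 2, 3, 3, 3]
    print(len(shared_keys(v, u)), expected_shared_with_l2(v, 10, 5))
```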


3.2  Neighborhood  Discovery  Phase 

In this phase, L1 nodes initially send beacons identifying themselves as 'L1' nodes to their neighborhood nodes.
The beacon message for L1 node $u_i$ can take the simple syntax $\langle i, \mathrm{L1} \rangle$, where $i$ is the node identifier.

An L2 node 'discovers' an L1 node when it hears its beacon message. To establish a secure channel with the L1
node and help populate the L1 node's incidence matrix, it runs a secure shared key discovery (SSKD) protocol,
reminiscent of [3, 13]. This SSKD protocol is essentially a privacy preserving set intersection protocol that allows
the two participating parties to discover their shared keys from their individual key sets.

For L1 node $V_i$, the incidence matrix $P$ has $k$ columns labeled by the node's keys $K^i_1, \ldots, K^i_k$, and one row for each
neighbor. $P(j, t) = 1$ if $K^i_t$ is shared with node $u_j$ in the neighborhood of $V_i$, and zero otherwise. The incidence
matrix of $V_i$ can be used to keep an account of the keys shared by the nodes in $V_i$'s neighborhood, restricted to
the keys they share with $V_i$. This property is important as it maintains optimal privacy for the neighboring L2
nodes. Specifically, $V_i$ does not learn any information about the key rings of its neighboring nodes other than the
shared key information it learns during the execution of the SSKD protocol.

If an L2 node is not directly connected to an L1 node (i.e. it is isolated from every L1 node), it simply waits and
performs the join protocol after the key establishment protocol is complete.

In this step, L1 nodes also discover each other and establish an $l$-secure channel between each pair of L1 nodes. This
communication network forms the backbone of the larger network.


Secure Shared Key Discovery (SSKD). Consider the case when node $u_j$ wants to discover the keys it shares
with node $u_i$. Let $u_i$ have keys $K^i_1, \ldots, K^i_l$ and $u_j$ have keys $K^j_1, \ldots, K^j_m$ (here $l$ and $m$ simply denote the
two ring sizes). Assume the existence of a homomorphic encryption scheme, where $E_k(x)$ denotes the encryption of
message $x$ under key $k$. The SSKD protocol is as follows:

1. $u_i$ forms the polynomial $f_i(x) = (x - K^i_1) \cdots (x - K^i_l)$ and sends to $u_j$ the encrypted coefficients $E_{k_i}(\cdot)$.

2. For each of its keys $K^j_s$, $u_j$ computes $Z_s = E_{k_i}(r \, f_i(K^j_s))$ using the homomorphic property of the encryption
scheme, where $r$ is a random number (chosen afresh for each $s$, so that the $Z_s$ do not leak ratios of the $f_i(K^j_s)$).
$u_j$ returns the $Z_s$ to $u_i$.

3. $u_i$ decrypts $Z_s$ to obtain $r \, f_i(K^j_s)$. If the value is zero, then $K^j_s$ is a common key.

4. $u_i$ returns to $u_j$ an $m$-bit bitmap with a 1 at bit $s$ where $r \, f_i(K^j_s) = 0$ and 0 elsewhere.

In contrast to LSBS, our SSKD protocol requires the nodes to exchange an $m$-bit bitmap indicating the shared
keys of the participating nodes (step 4). The main reason for this inclusion is that, unlike LSBS, in our protocol
L1 nodes can select more than one key from each block. Therefore nodes must indicate, using the bitmap, which
key in a block is shared and which is not. LSBS considers a homogeneous network where every node picks one key
from each key block.
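The four SSKD steps run end to end, as an added example (not code from the paper or from [3, 13]). The paper asks only for a homomorphic encryption scheme; we instantiate it with Paillier, whose additive homomorphism lets u_j evaluate the encrypted polynomial f_i at each of its keys and blind the result with a random r without ever seeing a coefficient. The primes, key identifiers and function names are constructed for the demo (real keys need primes of at least 1024 bits), and the code assumes every key identifier is below the smaller prime, so that a product of non-zero differences cannot vanish modulo n.

```python
"""SSKD: private shared key discovery with Paillier (added example, not the
paper's code). Paillier is additively homomorphic:
  Enc(a) * Enc(b) = Enc(a + b)   and   Enc(a)^c = Enc(c * a)   (mod n^2),
which is enough to evaluate f_i(K) = sum_t a_t K^t on ciphertexts.
"""
from math import gcd
import random

# Toy Paillier key pair of u_i. Constructed demo primes: far too small for real
# use (real keys need >= 1024-bit primes). g = n + 1 (textbook simplification).
P, Q = 1000003, 1000033
N = P * Q
N2 = N * N
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)   # lcm(p-1, q-1)
MU = pow(LAM, -1, N)                           # L(g^LAM) = LAM when g = n + 1


def enc(x, rng):
    """Paillier encryption of x (mod N) under u_i's public key (N, N + 1)."""
    rho = rng.randrange(1, N)
    while gcd(rho, N) != 1:
        rho = rng.randrange(1, N)
    return pow(N + 1, x % N, N2) * pow(rho, N, N2) % N2


def dec(c):
    """Paillier decryption with u_i's private key (LAM, MU)."""
    u = pow(c, LAM, N2)
    return (u - 1) // N * MU % N


def poly_from_roots(roots):
    """Coefficients a_0..a_l of f(x) = prod_t (x - K_t), reduced mod N."""
    coeffs = [1]
    for root in roots:
        new = [0] * (len(coeffs) + 1)
        for i, a in enumerate(coeffs):
            new[i] = (new[i] - root * a) % N     # -K_t * a_i  contributes to x^i
            new[i + 1] = (new[i + 1] + a) % N    #  a_i        contributes to x^(i+1)
        coeffs = new
    return coeffs


def sskd_step1(ring_i, rng):
    """Step 1: u_i sends the encrypted coefficients of f_i."""
    return [enc(a, rng) for a in poly_from_roots(ring_i)]


def sskd_step2(enc_coeffs, ring_j, rng):
    """Step 2: u_j computes Z_s = Enc(r_s * f_i(K_s)) for each of its keys.
    A fresh blinding factor r_s per key matters: reusing r would reveal the
    ratios f_i(K_s) / f_i(K_s') to u_i."""
    zs = []
    for key in ring_j:
        acc = 1
        for i, c in enumerate(enc_coeffs):
            acc = acc * pow(c, pow(key, i, N), N2) % N2   # Enc(a_i * K^i)
        r = rng.randrange(1, N)
        zs.append(pow(acc, r, N2))                        # Enc(r * f_i(K))
    return zs


def sskd_step3_4(zs):
    """Steps 3 and 4: u_i decrypts each Z_s; zero means K_s is a root of f_i,
    i.e. a shared key. The returned m-bit bitmap has 1 at shared positions."""
    return [dec(z) == 0 for z in zs]


def sskd(ring_i, ring_j, seed=0):
    """Run the whole exchange; returns (bitmap, shared keys as seen by u_j)."""
    assert max(ring_i + ring_j) < min(P, Q), "key ids must stay below the primes"
    rng = random.Random(seed)
    bitmap = sskd_step3_4(sskd_step2(sskd_step1(ring_i, rng), ring_j, rng))
    return bitmap, [k for k, bit in zip(ring_j, bitmap) if bit]


if __name__ == "__main__":
    # Constructed rings of integer key identifiers drawn from the public pool.
    print(sskd([123, 4567, 89012, 345678], [4567, 50000, 345678, 777777, 9]))
    # ([True, False, True, False, False], [4567, 345678])
```

u_j never holds the Paillier private key, so the coefficients of f_i stay hidden from it; u_i learns only which positions of u_j's ring are roots of f_i (for a non-shared key, r f_i(K) is a uniformly random non-zero value), and u_j learns exactly that from the bitmap.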


Securing Bitmap Transmission. A potential leakage is the bitmap exchange step of the SSKD protocol, which
reveals to an eavesdropper the number of keys shared by two nodes. This can aid a smart adversary in choosing to
compromise the neighboring node which shares the most keys with a target node, as well as reducing the search space
for the key securing the channel.

The  following  protocol  takes  advantage  of  the  privacy  preserving  characteristics  of  a  homomorphic  encryption 
scheme  such  as  El  Gamal  [9].  We  show  that  although  El  Gamal  is  a  public  key  encryption  scheme,  our  scheme 
does  not  require  the  public  key  infrastructure  (which  inherently  assumes  a  TTP)  or  the  computationally  expensive 
computations  generally  associated  with  public  key  schemes.  Therefore  its  use  in  our  protocol  is  practical. 

Assume node $u_i$ wants to privately send a bitmap $b$ (encoded as a group element) to node $u_j$. We use the
multiplicative homomorphic property of the El Gamal [9] encryption scheme for $u_i$ to send $b$ to $u_j$. Specifically
this property is: $E_K(m_1 m_2) = E_K(m_1) \times E_K(m_2)$, where $E_K(m)$ is the encryption of $m$ under key $K$.

Let the El Gamal public key of $u_j$ be $(g, h)$ and the secret key be $x = \log_g h$.

$u_j \to u_i$: $r, d \leftarrow_R \{0,1\}^*$; send $\langle C_1, C_2 \rangle = \langle g^r, \; h^r \cdot d \rangle$ and $(g, h)$

$u_i \to u_j$: $r' \leftarrow_R \{0,1\}^*$; send $\langle C_3, C_4 \rangle = \langle C_1 \cdot g^{r'}, \; C_2 \cdot h^{r'} \cdot b \rangle$

$u_j$: bitmap $b = C_4 \, / \, (C_3^{\,x} \cdot d)$


Node $u_j$ encrypts a dummy message $d$ and sends to $u_i$ the ciphertext and its public key. $u_i$ multiplies the
ciphertext by the bitmap and re-randomizes the result using $r'$. Using its private key, $u_j$ can decrypt the processed
ciphertext and obtain the bitmap. This protocol ensures that the bitmap remains private to $u_i, u_j$, assuming the El
Gamal encryption scheme is secure.

By loading nodes with a set of random $r'$ values and the associated exponentiations during the setup phase, it is
possible to reduce the amount of computation needed to a single exponentiation and two multiplications per node.
Furthermore, we note that although we are using public key cryptography, we do not rely on the existence of a
PKI and therefore we preserve the distributed nature of the network. Finally, we point out that this step is only
performed once or twice by sensing nodes throughout their lifetime. In fact, by using the following strategy we can
reduce this step to be used only when necessary:

Strategy:  Initiate  this  protocol  if  and  only  if  there  are  shared  keys.  If  there  are  no  shared  keys,  simply  send  a 
NULL  message. 
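The bitmap protocol above, run end to end, as an added example (not the paper's code). It uses a toy El Gamal group (Z_p^* with p = 2^61 - 1 and g = 3; a real deployment would use a prime-order group of about 256 bits), encodes the bitmap as an integer, and follows the strategy just stated of sending a NULL message when no key is shared, which also sidesteps the fact that 0 is not a group element and so cannot be the plaintext. Function names and the seeded RNG are ours. Note that, with no PKI, (g, h) reaches u_i unauthenticated: this hides the bitmap from the eavesdropper of the paper's threat model, not from an active node that substitutes its own public key.

```python
"""Private bitmap transfer by re-randomising u_j's El Gamal ciphertext (added
example, not the paper's code). Toy group: Z_p^* with p = 2^61 - 1 and the
generator-of-convenience g = 3; the bitmap is encoded as the integer
sum_s bit_s * 2^s, which must be a non-zero element below p."""
import random

P = (1 << 61) - 1     # Mersenne prime, toy size only
G = 3


def keygen(rng):
    """u_j's El Gamal key pair: secret x, public (g, h = g^x)."""
    x = rng.randrange(2, P - 1)
    return x, (G, pow(G, x, P))


def uj_step1(pub, rng):
    """u_j -> u_i: <C1, C2> = <g^r, h^r * d> for random r and dummy d, plus (g, h)."""
    g, h = pub
    r = rng.randrange(1, P - 1)
    d = rng.randrange(1, P)
    return (pow(g, r, P), pow(h, r, P) * d % P), d


def ui_step2(pub, c12, b, rng):
    """u_i -> u_j: <C3, C4> = <C1 * g^r', C2 * h^r' * b>. The multiplicative
    homomorphism turns Enc(d) into Enc(d * b); the extra r' means an
    eavesdropper sees (C3/C1, C4/C2) = (g^r', h^r' * b), a fresh El Gamal
    encryption of b under (g, h), and learns nothing about b without x."""
    g, h = pub
    c1, c2 = c12
    r2 = rng.randrange(1, P - 1)
    return c1 * pow(g, r2, P) % P, c2 * pow(h, r2, P) * b % P


def uj_step3(x, c34, d):
    """u_j: b = C4 / (C3^x * d), because C3^x = g^(x(r + r')) = h^(r + r')."""
    c3, c4 = c34
    return c4 * pow(pow(c3, x, P) * d % P, -1, P) % P


def bitmap_to_int(bits):
    return sum(bit << s for s, bit in enumerate(bits))


def int_to_bitmap(v, m):
    return [(v >> s) & 1 for s in range(m)]


def send_bitmap(bits, seed=0):
    """Whole exchange between u_j (owner of the key pair) and u_i (sender of
    the bitmap). Per the paper's strategy the protocol only runs when at least
    one key is shared; otherwise a NULL message (None) is sent instead."""
    if not any(bits):
        return None
    b = bitmap_to_int(bits)
    assert 0 < b < P, "bitmap must fit below p; split longer bitmaps into chunks"
    rng = random.Random(seed)
    x, pub = keygen(rng)                 # u_j
    c12, d = uj_step1(pub, rng)          # u_j -> u_i
    c34 = ui_step2(pub, c12, b, rng)     # u_i -> u_j
    return int_to_bitmap(uj_step3(x, c34, d), len(bits))


if __name__ == "__main__":
    print(send_bitmap([1, 0, 1, 1, 0, 0, 1]))   # [1, 0, 1, 1, 0, 0, 1]
    print(send_bitmap([0, 0, 0]))               # None (NULL message)
```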

We emphasize that using the El Gamal protocol to secure bitmap transmission is an optional step that can
still be omitted in order to conserve energy. That is, we trade security for efficiency. An optional symmetric key
protocol, which achieves some measure of security as long as the adversary has not compromised any nodes, is to
use a global secret key to privately transmit the bitmap.

3.3  Cluster  and  Group  Key  Generation 

In this phase, L1 nodes $V_i$ use their incidence matrix $P$ to assist the nodes in their neighborhoods to initiate local
$(l, r)$-groups, in which a minimum of $r$ nodes share $l$ keys. This is done by finding a set $\mathcal{R}$ of $r$ rows and a set
$\mathcal{C}$ of at least $l$ columns in the incidence matrix for which an $(l, r)$-secure subset can be formed. The formation of the
local groups allows $V_i$ to communicate with a group of nodes via multicast, thus reducing communication. Also, nodes in
local groups contribute to the formation of the cluster keys, thus preventing the selection of weak keys.
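Building V_i's incidence matrix from the SSKD results and searching it for (l, r)-secure subsets, as an added example (not the paper's code). The input is exactly what V_i learns from SSKD: for each neighbour, which of V_i's own keys it shares. Node names and key names are constructed; the exhaustive search over l-subsets of columns and the greedy rule that puts each node in at most one group (the paper notes a node may qualify for several and needs a decision strategy) are our choices.

```python
"""Incidence matrix of an L1 node and (l, r)-secure local group formation
(added example, not the paper's code)."""
from itertools import combinations


def incidence_matrix(l1_ring, shared_by_neighbour):
    """Columns = V_i's keys, one row per neighbour, P[j][t] = 1 iff key t is shared."""
    cols = sorted(l1_ring)
    rows = {uid: [1 if key in shared else 0 for key in cols]
            for uid, shared in shared_by_neighbour.items()}
    return cols, rows


def keys_of(cols, row):
    return {cols[t] for t, bit in enumerate(row) if bit}


def find_lr_groups(cols, rows, l, r):
    """Disjoint local (l, r)-secure groups: >= r nodes that all share >= l of
    V_i's keys. Every l-subset of columns is tried; a node joins at most one
    group (larger candidate groups first, ties broken by member names)."""
    candidates = []
    for subset in combinations(range(len(cols)), l):
        members = frozenset(uid for uid, row in rows.items()
                            if all(row[t] for t in subset))
        if len(members) >= r:
            candidates.append(members)
    candidates.sort(key=lambda s: (-len(s), sorted(s)))
    assigned, groups = set(), []
    for members in candidates:
        free = members - assigned          # nodes not yet placed in a group
        if len(free) < r:
            continue
        common = set(cols)
        for uid in free:
            common &= keys_of(cols, rows[uid])
        groups.append((sorted(free), sorted(common)))   # |common| >= l by construction
        assigned |= free
    return groups


def ungrouped(rows, groups):
    """Nodes left without a local group; they wait and use the join protocol."""
    placed = {uid for members, _ in groups for uid in members}
    return sorted(set(rows) - placed)


# Constructed neighbourhood: V_i holds keys a..h; each neighbour's shared set
# is what SSKD would have revealed to V_i.
V_RING = set("abcdefgh")
SHARED = {"u1": {"a", "b", "c"}, "u2": {"a", "b", "d"}, "u3": {"a", "b"},
          "u4": {"c", "d", "e"}, "u5": {"c", "d"}, "u6": {"e"}}

if __name__ == "__main__":
    cols, rows = incidence_matrix(V_RING, SHARED)
    groups = find_lr_groups(cols, rows, l=2, r=3)
    print(groups)                    # [(['u1', 'u2', 'u3'], ['a', 'b'])]
    print(ungrouped(rows, groups))   # ['u4', 'u5', 'u6']
```

Lowering r to 2 on the same matrix also admits the pair u4, u5 on keys c and d, which is the efficiency trade-off the page describes: r changes how many nodes V_i can reach per multicast, not how many keys protect the group.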

Once this local $(l, r)$-group is formed, $V_i$ informs the group members of their group membership using secure
channels. Local group members can now communicate securely using their secret group key $K_L$, where
$K_L = K_1 \oplus \ldots \oplus K_l$ and $\{K_1, \ldots, K_l\}$ is the set of keys shared by all members of the local group $L$. Each local
group $L$ contributively generates a partial cluster key $K_C^L$ in order to democratically agree on a cluster key $K_C$. We
note that potentially two L2 nodes which are not in direct communication can belong to the same local group. This is
because they have a smaller transmission range than the L1 nodes. In this case, the L1 node can be used as an
intermediate routing point to forward messages. It is also possible to reduce this form of routing if we assume a
directional antenna for the L1 nodes. Then the L1 node can group an $(l, r)$ subset together if and only if its members
are in the same vicinity.

Cluster Key Generation. We require that all members of the local group $L$ contribute to the generation of
the partial cluster key $K_C^L$. To form a partial cluster key, the nodes in $L$:

1. For all $u_i \in L$:

— $u_i$ randomly selects its key share $s_i$;

— $u_i$ encrypts $E_{K_L}(s_i)$ and broadcasts it to $L$;

2. For all $u_j \in L$, $j \neq i$, $u_i$ decrypts $D_{K_L}(s_j)$. The partial cluster key of group $L$ is calculated as
$K_C^L = s_1 \oplus \ldots \oplus s_{|L|}$.

We note that L1 node $V_i$ can overhear all communications in its neighborhood since it also shares the local
group key. Once all partial cluster keys are generated, $V_i$ computes the final cluster key $K_C = K_C^{L_1} \oplus \ldots \oplus K_C^{L_x}$,
where $\{L_1, \ldots, L_x\}$ is the set of local groups formed in the neighborhood. $V_i$ can then transmit the final cluster
key to its neighborhood nodes using the secure local group keys.

Group Key Generation. The group key can be generated similarly to the cluster key by requiring nodes to
select a key share for the group key along with the cluster key share. L1 nodes then exchange the partial group keys
generated in their neighborhoods to arrive at the final group key.

3.4  Join 

A newly deployed node $u_i$ can join the network by establishing an $l$-secure channel to a node $u_j$ which already
belongs to the secure group. $u_j$ essentially acts for $u_i$ as the 'gateway' to the network. To achieve forward security,
the cluster key and the group key (of the cluster and of the whole group, respectively) are renewed by applying a one
way function to the current session key. $u_j$ then forwards the new session key to $u_i$ using the secure channel. The
nodes use the previously described SSKD protocol to discover at least $l$ shared keys and establish the secure channel.
If they cannot do so, $u_i$ contacts other nodes in its neighborhood. As a result the new node only knows the keys it
shares with the 'gateway' node, as well as with any previous nodes it had contacted prior to establishing the secure
channel.


Similarly, an L2 node which is isolated from the neighborhood L1 node, either by being out of the range of
the L1 node or by not being able to establish a secure channel with the L1 node in the key establishment phase, can
join the group using the above protocol.

3.5 Leave and Node Revocation

If an L2 node $u_i$ decides to leave the group, the neighborhood L1 node $V_i$ can use its incidence matrix to determine the keys that the departing node has in common with the other nodes in its neighborhood and, if need be, purge these keys. It then alerts the nodes in $L$, the local group of $u_i$, to also purge their key rings. As a result, the departing node no longer has any information regarding the key rings of the nodes in its neighborhood.

If the departing node is malicious, the cluster may decide not only to purge the keys but also to compute a new cluster and group key. Note that renewing the key with the one-way function of Section 3.4 would not suffice here, since a node that holds the current key can compute every such renewal itself; fresh randomness is required. As such, $V_i$ randomly selects another local group $L'$ in its neighborhood and requests the nodes in $L'$ to re-execute the cluster key generation protocol to generate a new partial cluster key $K_{L'}$. The node $V_i$ then recomputes the cluster and group keys and securely transmits them to the affected nodes. The new cluster and group keys are independent of the old keys since $K_{L'}$ is a fresh random value.

Note that the existence of the local groups allows the re-generation of the cluster and group key to be very efficient. Furthermore, by randomly selecting the local group, $V_i$ distributes the added computation and communication load uniformly amongst the nodes in its neighborhood.
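The cluster key generation of Section 3.3 together with the join and leave procedures above form one key lifecycle. The following Python script, added here as an illustration and not part of the paper, models that lifecycle from the L1 node's point of view: shares are XOR-combined into partial and cluster keys, a join renews the key with a one-way function (SHA-256, our choice; the paper does not fix one), and a revocation makes one randomly chosen local group re-run its share selection. The 128-bit key length, the class and method names, and the treatment of the local-group channels as already secure are assumptions of the example; SSKD itself is not modelled.

```python
import hashlib
import secrets

KEY_LEN = 16  # assumption: 128-bit shares and keys (the paper fixes no length)


def xor_all(parts):
    """XOR a collection of equal-length byte strings: s_1 ⊕ ... ⊕ s_c, K_{L_1} ⊕ ... ⊕ K_{L_x}."""
    out = bytes(KEY_LEN)
    for p in parts:
        if len(p) != KEY_LEN:
            raise ValueError("all shares must be KEY_LEN bytes")
        out = bytes(a ^ b for a, b in zip(out, p))
    return out


def one_way_refresh(key):
    """Join-time renewal K' = F(K); F is SHA-256 here (our choice of one-way function)."""
    return hashlib.sha256(b"LKD-join|" + key).digest()[:KEY_LEN]


class L1Node:
    """Cluster head V_i. Local groups are assumed already formed by SSKD, and the
    secure local-group channels carrying the shares are modelled as trusted."""

    def __init__(self, local_groups):
        # local_groups: {group name: [node id, ...]}, e.g. {"L1": ["u1", "u2", "u3"]}
        self.groups = {g: list(nodes) for g, nodes in local_groups.items()}
        self.shares = {g: self._collect_shares(g) for g in self.groups}
        self.session_key = self._recompute()

    def _collect_shares(self, g):
        # step 1 of cluster key generation: every member of L picks a random share s_i
        return {n: secrets.token_bytes(KEY_LEN) for n in self.groups[g]}

    def partial_keys(self):
        # step 2: K_L = s_1 ⊕ ... ⊕ s_c for each local group L
        return {g: xor_all(s.values()) for g, s in self.shares.items()}

    def _recompute(self):
        # K_C = K_{L_1} ⊕ ... ⊕ K_{L_x}
        return xor_all(self.partial_keys().values())

    def join(self, new_node, gateway_group):
        """Section 3.4: members move to F(K); the gateway hands F(K) to the joiner,
        which therefore never learns the key that was in use before it arrived."""
        self.session_key = one_way_refresh(self.session_key)
        self.groups[gateway_group].append(new_node)
        return self.session_key

    def leave(self, node, malicious=False):
        """Section 3.5: purge the departing node's share; if it is deemed malicious,
        one other local group L' re-runs share selection so the new key is independent
        of anything the departed node knew."""
        home = next(g for g, members in self.groups.items() if node in members)
        self.groups[home].remove(node)
        self.shares[home].pop(node, None)
        if not malicious:
            return self.session_key
        others = [g for g in self.groups if g != home and self.groups[g]]
        rekeyed = secrets.choice(others or [home])
        self.shares[rekeyed] = self._collect_shares(rekeyed)
        self.session_key = self._recompute()
        return self.session_key


def departed_node_can_predict(old_key, new_key):
    """What a node holding only the old key can derive: the one-way refresh chain.
    True if new_key is reachable from old_key by repeated F (i.e. no fresh randomness)."""
    k = old_key
    for _ in range(8):
        k = one_way_refresh(k)
        if k == new_key:
            return True
    return False


if __name__ == "__main__":
    head = L1Node({"L1": ["u1", "u2", "u3"], "L2": ["u4", "u5"]})
    k0 = head.session_key
    k1 = head.join("u6", "L1")
    k2 = head.leave("u2", malicious=True)
    print("join renewal predictable from old key:", departed_node_can_predict(k0, k1))
    print("revocation predictable from old key:", departed_node_can_predict(k1, k2))
```

After a join the key in use is $F(K)$ and is no longer the XOR of the stored partials; only a revocation with fresh shares returns it to that form. The `departed_node_can_predict` check makes the distinction between the two paths concrete: a node that has left while holding $K$ can compute $F(K), F(F(K)), \ldots$, which is why the paper's revocation path injects new randomness instead of applying the one-way function again.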

4 Correctness Analysis

In this section we show the correctness of the LKD protocol. We say that LKD is correct if the protocol allows the 'backbone' L1-network, as well as the cluster of L2 nodes around an L1 node, to be connected and thus functioning with high probability. Later we verify our results by simulation. In the next section we analyze the security of the protocol against both a passive and an active adversary.

In our theoretical analysis we restrict the key ring size of L1 nodes, $k_A = t \cdot k_B + s$ ($k_B$ is the key ring size of L2 nodes), as follows: $t = 1$, $s \in [0..k_B]$. In the following, we first analyze the case where $s = k_B$ and then the case where $s$ can be assigned any value from $[0..k_B]$. To establish an $l$-secure link, two nodes must share at least $l$ keys.

For readability purposes, in the rest of the paper we use the notation $A$ and $B$ to refer to L1 and L2 nodes respectively.

4.1 Case 1: $k_A = 2k_B$, where $s = k_B$

We have the following proposition, with the proof provided in Appendix A.

Proposition 1. Let $P_B(r,l)$ denote the probability that $r$ L2 nodes share $l$ keys, $P_{A,B}(r,l)$ denote the probability that a group of $(r-1)$ L2 nodes and one L1 node share at least $l$ keys, and $P_{A,A}(2,l)$ denote the probability of two L1 nodes sharing $l$ keys. Then we have the following.

(1)

(2)

(3), a sum taken over $2\alpha + \beta = l$

The probabilities above are derived by finding the probability that two nodes share a key in a key block and then combining these independent per-block events to obtain the appropriate binomial coefficients. The main difference between $P_B(r,l)$ and $P_{A,B}(r,l)$ is the probability of sharing a key in a block, which changes from $1/m^{r-1}$ to $2/m^{r-1}$ (Appendix A), $m$ being the block size. To find $P_{A,A}(2,l)$, we need to consider the cases where the two nodes share 0, 1 or 2 keys in a key block. In the above formula, $\alpha$ and $\beta$ represent the numbers of blocks that share 2 and 1 keys respectively. Blocks that do not contribute any shared key need not be considered.

Figure 3(a) graphs the obtained probability equations, comparing the probabilities of two nodes establishing an $l$-secure channel for different node types, when the key pool is made up of 200 blocks with a block size of five keys. We can see a rapid transition in the probability of establishing an $l$-secure channel for different $l$. For example, as can be seen in the graph, once $l$ approaches 30 for two L2 nodes, the probability of establishing a secure link rapidly drops off from 1 to 0.

Fig. 3. Probability of (a) two nodes and (b) $r$ nodes, establishing an $l$-secure channel, where $k_A = 2k_B$. Panels: (a) two nodes; (b) $(r-1)$ L2 nodes and one L1 node.

Figure 3(b) generalizes the node pair to groups of $r$ nodes. It is intuitive that establishing an $l$-secure channel becomes less probable as the group size increases. We also note that when there is a high probability of an $l$-secure channel among $r$ nodes, the probability of establishing a secure channel between two L1 nodes is even higher. It is also interesting to note that the phase transition becomes slower as the number of nodes in the group increases.


4.2 Case 2: $k_A = k_B + s$, where $s \in [0, k_B]$

Let the set $S$ consist of the $s$ key blocks from which an L1 node selects two keys, and let $\bar S$ consist of the remaining $k - s$ key blocks.

Let $P_{A,B}(r,l)$ be the probability of $r$ nodes (one L1 node and $(r-1)$ L2 nodes) sharing at least $l$ keys. Consider the event that the $r$ nodes share a key in a given block $x$. The probability that this event occurs is equal to $p_S$ for blocks $x \in S$, and $p_{\bar S}$ for $x \in \bar S$. Key collisions for each block can be modeled as independent Bernoulli trials. The generating function for the probabilities $P_{A,B}(r,l)$ is calculated as the product of two binomials with success probabilities $p_S$ and $p_{\bar S}$:

$$f(x) = \big(p_S\,x + (1 - p_S)\big)^{s}\,\big(p_{\bar S}\,x + (1 - p_{\bar S})\big)^{k-s} \qquad (4)$$


Proposition 2. The probability that the $r$ nodes share exactly $l$ keys is equal to the coefficient $C_l$ of the $x^l$ term in the polynomial of Equation 4, and

$$P_{A,B}(r,l) = \sum_{i=l}^{k_B} C_i \qquad (5)$$

where $C_i$ is the coefficient of the $x^i$ term in $f(x)$ and $k_B$ denotes the size of the key ring of L2 nodes.¹

Proposition 3. Let $P_{A,A}(2,l)$ be the probability of two L1 nodes sharing at least $l$ keys. Let $\alpha, \beta, \gamma$ be non-negative integers satisfying $2\alpha + \beta + \gamma = l$.

$$P_{A,A}(2,l) = \sum_{2\alpha + \beta + \gamma = l} (\ldots) \qquad (6)$$

where $p_i$ is the probability of sharing $i$ keys in a block among the first $s$ blocks and $\bar p_i$ is the probability of sharing $i$ keys in a block among the remaining $k - s$ blocks.

This proposition is based on the fact that each of the first $s$ blocks can contribute 0, 1 or 2 shared keys, and each of the last $(k - s)$ blocks can contribute 0 or 1 shared key. In the above formula, $\alpha$ represents the number of blocks that share 2 keys, and $\beta$ and $\gamma$ represent the numbers of blocks that share only 1 key in $S$ and $\bar S$ respectively.

¹ Examples to illustrate how the above propositions can be used are provided in Appendix B.


Fig. 4. Probability of (a) two nodes and (b) $r$ nodes, establishing an $l$-secure channel, where $k_A = k_B + s$. Panels: (a) two nodes; (b) $(r-1)$ L2 nodes and one L1 node.


Figure 4(a) graphs the probability of establishing an $l$-secure channel between an L1 node and an L2 node for different values of $s$. The results confirm intuition by showing that as the key ring of an L1 node becomes larger, the probability of a secure connection with an L2 node increases. A similar result is verified in Figure 4(b) when we consider $r$ nodes, consisting of one L1 node and $(r-1)$ L2 nodes.

In a more general version of this problem, a node can select extra keys from any blocks of its choosing, rather than the first $s$ blocks. It is intuitive that in this version of the problem, the probabilities of establishing an $l$-secure channel do not increase to the same extent as in the special case presented above. We leave the analysis of this problem as a future exercise.

The graphs presented in this section allow a network administrator to choose appropriate values for the system parameters. In the following section, we show how an increased key ring not only increases the probability of establishing a secure channel (as shown), but also decreases the security of the system. It is therefore important to achieve the proper balance between connectivity and security. Section 6 gives simulation results that confirm the presented theoretical results.
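Propositions 1 to 3 all describe the same construction: the number of shared keys is a sum of independent per-block contributions, so its distribution is the product of the per-block generating functions, and the multinomial sum of Proposition 3 is just that product expanded. The following Python script, an added example and not part of the paper, implements this view for all three propositions using the per-block probabilities derived in Appendix A ($1/m^{r-1}$, $2/m^{r-1}$, and the 0/1/2-collision probabilities for two L1 nodes). Function and parameter names (p_b, p_ab, p_aa, block_*) are ours. It works with exact rationals, so the Figure 3 regime (200 blocks of 5 keys, two L2 nodes) can be checked numerically rather than read off a plot.

```python
from fractions import Fraction
from math import comb


def poly_mul(a, b):
    """Multiply two polynomials given as coefficient lists (index = power of x)."""
    out = [Fraction(0)] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return out


def block_all_single(m, r):
    """One block of m keys, r nodes holding one key from it each: they share a key
    iff all r choices coincide, probability m / m^r = 1/m^(r-1) (Appendix A)."""
    p = Fraction(1, m ** (r - 1))
    return [1 - p, p]  # Pr[0 shared], Pr[1 shared]


def block_l1_pair_with_singles(m, r):
    """One L1 node holding two keys of the block and r-1 L2 nodes holding one each:
    the L2 keys must coincide and hit one of the pair, probability 2/m^(r-1) (Appendix A)."""
    p = Fraction(2, m ** (r - 1))
    return [1 - p, p]


def block_two_l1(m):
    """Two L1 nodes with two keys each from the block: 0, 1 or 2 shared keys (Appendix A)."""
    pairs = comb(m, 2)
    return [Fraction(comb(m - 2, 2), pairs),  # other pair avoids both keys
            Fraction(2 * (m - 2), pairs),     # exactly one key in common
            Fraction(1, pairs)]               # same pair


def shared_key_distribution(block_pmfs):
    """Generating function of the total: product of the per-block generating
    functions (Equation 4 generalised); coefficient C_i = Pr[exactly i shared keys]."""
    poly = [Fraction(1)]
    for pmf in block_pmfs:
        poly = poly_mul(poly, pmf)
    return poly


def at_least(dist, l):
    """Pr[at least l shared keys] = sum of C_i over i >= l (Equation 5)."""
    return sum(dist[l:], Fraction(0))


def expected_shared(dist):
    """Mean number of shared keys, handy for locating the phase transition."""
    return sum(i * c for i, c in enumerate(dist))


def p_b(k, m, r, l):
    """Proposition 1, P_B(r, l): r L2 nodes, one key per block each, k blocks."""
    return at_least(shared_key_distribution([block_all_single(m, r)] * k), l)


def p_ab(k, s, m, r, l):
    """Proposition 2, P_AB(r, l): one L1 node with two keys in s of the k blocks
    (Case 1 of Section 4.1 is s = k) and r-1 L2 nodes."""
    pmfs = [block_l1_pair_with_singles(m, r)] * s + [block_all_single(m, r)] * (k - s)
    return at_least(shared_key_distribution(pmfs), l)


def p_aa(k, s, m, l):
    """Proposition 3, P_AA(2, l): two L1 nodes, two keys each in the first s blocks.
    Expanding this product groups blocks by 0/1/2 contributed keys, i.e. the
    (alpha, beta, gamma) terms of the proposition."""
    pmfs = [block_two_l1(m)] * s + [block_all_single(m, 2)] * (k - s)
    return at_least(shared_key_distribution(pmfs), l)


if __name__ == "__main__":
    # Figure 3(a) setting: 200 blocks of 5 keys, two L2 nodes
    dist = shared_key_distribution([block_all_single(5, 2)] * 200)
    print("expected shared keys:", expected_shared(dist))
    for l in (20, 30, 40, 50, 60):
        print(f"Pr[>= {l} shared] = {float(at_least(dist, l)):.4f}")
```

With the Figure 3 parameters the two L2 nodes share 40 keys on average, and the probability of an $l$-secure link is still above 0.9 at $l = 30$ but below 0.1 at $l = 50$, which is the transition the text describes.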

5  Security  Model  and  Analysis 

5.1  Adversary  Model 

We  analyze  the  security  of  LKD  against  two  types  of  adversaries. 

1.  Passive  Adversary  (PA)  with  only  access  to  public  data  (key  pool),  description  of  the  protocol  and  transcript 
of  node  communications. 

2.  Node  Capturing  Adversary  (NCA)  with  access  to  all  the  information  available  to  a  passive  adversary,  and  also 
the  private  data  of  t  nodes  that  it  has  captured. 

Note  that  we  do  not  allow  an  NCA  adversary  to  interact  with  the  nodes.  That  is  we  only  consider  the  case  when 
the  adversary  uses  its  information  to  eavesdrop  on  others’  communication.  The  goal  of  both  adversaries  therefore, 
is  to  learn  the  secret  keys  between  nodes  that  are  used  to  secure  their  links. 

5.2  Security  Model  in  Key  Pre-distribution  Systems 

The security of traditional key pre-distribution schemes that assume the existence of a TTP [8, 5, 6, 11] is based on the facts that (i) the keys in the key pool are known exclusively to the TTP, (ii) the nodes' key rings are private, and (iii) the link communication is confidential.

In this model an adversary cannot introduce a 'new' device into the network because, even if there is no authentication mechanism, it does not have access to the key pool. However, by compromising legitimate nodes and obtaining their key rings and/or identities, an adversary can gain entrance into the secure network. The more nodes an adversary compromises, the more it learns of the key pool and the more effective an attack it can launch against a target secure channel. This notion is captured by the resiliency of the protocol against node compromise, where the resiliency metric is defined to be "the fraction of links in the network a node-compromising adversary is able to eavesdrop on, as a result of recovering keys from captured nodes" [5]. A protocol has stronger security if the adversary is forced to compromise a larger percentage of the nodes to eavesdrop on a target channel.

Also, in [8, 5] the information that an NCA obtains from captured devices, combined with the key indices, allows it to gain information about the keys belonging to other network nodes.

5.3  Security  Model  in  Self-Organizing  Networks 

The  security  of  the  SO  protocols  (such  as  LKD  and  LSBS)  does  not  rest  on  the  secrecy  of  the  key  pool;  in  fact,  the 
key  pool  is  considered  to  be  public  information  and  can  be  accessed  by  the  adversary.  This  means  that  if  there  are 
no  auxiliary  means  of  authentication,  the  adversary  can  introduce  a  malicious  node  v  with  the  aim  of  extracting 
key  information  from  a  victim  node  u:  v  can  choose  a  key  ring  and  run  SKD  with  u  to  find  out  a  subset  of  keys 
of  u  (that  they  share).  It  then  can  select  a  new  key  ring  and  repeat  the  protocol.  After  sufficient  runs  of  this,  v 
can  learn  all  the  keys  of  u.  This  means  that  it  is  crucial  to  assume  a  method  of  node  authentication  that  prevents 
the  adversary  from  introducing  nodes  of  its  choice.  Since  this  is  not  the  focus  of  our  paper,  we  do  not  consider  this 
scenario  and  leave  it  for  future  work. 

The security of the SO protocols is based exclusively on (i) the size of the key pool and (ii) the security of the link keys. In LKD, an NCA gains only local information from a compromised node; that is, it learns only the key ring of the node and potentially any information the node shares with the nodes it associates with. In the case of LKD, a node $u_i$ associates only with its neighboring nodes $N_i$, and by compromising $u_i$ an adversary learns not only the key ring of $u_i$ but also the keys it shares with its neighboring nodes. Therefore by compromising $u_i$, the adversary can tighten its search space when attacking (i) a link between two nodes where at least one is a neighbor of $u_i$, or (ii) the key ring of a node neighboring $u_i$. We capture this notion in the following security parameter for the SO model: Neighbor resiliency is defined as the fraction of the key pool the adversary can discard in its exhaustive key search to attack a target secure channel, as a result of recovering keys from captured neighboring nodes. Another security metric we consider is the advantage the adversary gains in determining the key ring of a node when it is in the neighborhood of a compromised node.

In  the  following,  we  analyze  LKD  against  first  a  passive  adversary  and  then  a  node  capturing  adversary. 


5.4 Analysis of Passive Adversary

An eavesdropping adversary cannot obtain any information about the keys, except by exhaustively guessing the final shared key between nodes. This is because in the course of the key establishment protocol no information about the key rings of the nodes is leaked. The adversary knows that there are $N = mk$ possible keys and that at least $l$ keys from $k$ different possible blocks are used to secure a link. Therefore, the search space for the attacker is equal to:

(7)

Similarly, to determine the key ring of a node of size $k$, the adversary must exhaustively search $m^k$ possibilities.


5.5 Analysis of Node Capturing Adversary in LSBS

A node capturing adversary obtains not only the node's key ring but also its incidence matrix, which contains key information about its neighboring nodes. In particular, it learns how many keys are shared between the neighbors and whether the captured node shares any of these keys on its own key ring.

Consider three nodes $u_i$, $u_j$ and $u_c$. Assume $u_i \in N_c$, $u_j \in N_i$, and $u_c$ is a compromised node. Let $k$ be the size of the key rings of $u_c$, $u_i$ and $u_j$. The goal of the adversary is to break the secret link between $u_i$ and $u_j$.

Case 1: $u_c \notin N_j$

By compromising $u_c$, the adversary obtains the following information: $u_c$ and $u_i$ share $b$ keys and do not share the remaining $(k - b)$. To guess the key ring of $u_i$, the adversary's search space is reduced from $m^k$ to $m^{k-b}$.

The search space to exhaustively guess $l$ shared keys between $u_i$ and $u_j$ is reduced as well; the search space to break an $l$-secure link between $u_i$ and $u_j$ becomes:

(8)

The neighbor-compromise resiliency can be obtained from Equations 7 and 8.

Case 2: $u_c \in N_j$

The reduction in the search space of the adversary is even more significant when the adversary can compromise a node in the neighborhood of both $u_i$ and $u_j$. In this case, the incidence matrix stored in $u_c$ leaks how many keys $u_i$ and $u_j$ share as well as the keys $u_c$ shares with either of these two nodes. Let $b_i$ (or $b_j$) be the number of keys $u_c$ shares with $u_i$ (or $u_j$) and $b_{ij}$ the number of keys $u_c$ has in common with both $u_i$ and $u_j$. Let $\ell$ be the number of keys $u_i$ and $u_j$ share, where $\ell \geq l$ (since $u_i$ and $u_j$ can establish an $l$-secure channel). Therefore, the search space to break the security of an $l$-secure channel has been reduced from Equation 7 to the following, where $b = b_i + b_j - b_{ij}$:

(9)


5.6 Analysis of Node Capturing Adversary in LKD

In contrast to LSBS, sensing nodes in LKD do not compute an incidence matrix. As a result a compromised L2 node $u_c$ in LKD does not leak any keying information about the other nodes in its neighborhood beyond what $u_c$ itself shares with them. Below we itemize the information an adversary learns by compromising $u_c$:

– The keys that $u_c$ has in common with the L1 node in its cluster, or, if it is not connected to an L1 node, with the connecting L2 node.

– If it is part of an $(l,r)$-secure local group, only the keys it shares with all of the group's members.

In both cases the derived metrics are identical to those of Case 1 in Section 5.5. However the number of links and nodes to which these reduced search spaces apply has decreased dramatically. This is primarily because LKD does not require an L2 node to connect to every node in its neighborhood. Instead, the number of secure connections an L2 node needs to establish, as well as the keys it shares with neighboring nodes, has been reduced to only those that are necessary.

In the event that an adversary compromises an L1 node and the L1 node does not have any tamper-resistant hardware, the adversary gains keying information about all the nodes in its neighborhood. In this case the adversary gains as much information as in the LSBS protocol.

Since the majority of the nodes in the network are L2 nodes, we can conclude that on average the advantage an adversary gains by compromising nodes in LKD has been reduced, and therefore LKD is more secure than LSBS.

6  Simulation  and  Discussion 

In  this  section,  we  use  simulations  to  first  highlight  the  shortcomings  of  LSBS  in  a  practical  setting,  that  is,  the  large 
number  of  IG  that  are  formed  and  the  high  communication  cost  that  is  incurred.  We  then  show  the  correctness  of 
LKD  protocol  by  examining  the  established  connectivity  against  the  protocol  parameters.  We  conclude  by  showing 
the  improved  efficiency  of  the  scheme. 

6.1  Network  Architecture  and  Setup 

The simulation assumes a static network of $n = 1060$ nodes, consisting of 60 L1 nodes and 1000 L2 nodes. This is a reasonable assumption in a dense static network or a highly dynamic network where nodes move around within a bounded region (e.g. a group of rescuers in an emergency situation or troops in a battlefield).

We assume that L1 nodes have twice the transmission range of L2 nodes, $R_A = 2R_B$. To guarantee network connectivity and thus allow a large portion of the nodes to participate in the secure group communication, we use the system parameter relationships derived by [8] based on the phase transition theory of Erdős and Rényi for connected random graphs. For network connectivity, we require that the neighborhood of each L2 node include 40 other nodes. This is a reasonable assumption used by [8, 5, 14]. We also need to guarantee that the L1-network (the network of L1 nodes) is connected. Using the area needed for 1000 L2 nodes where the neighborhood of each L2 node has on average 40 nodes, we use 60 L1 nodes where each L1 node is neighbor to 10-15 L1 nodes.²,³

At the beginning of the simulation, each node randomly selects a key ring of size $k_A = 300$ for L1 nodes and $k_B = 150$ for L2 nodes. Nodes can establish an $l$-secure connection by sharing at least $l$ keys.


6.2 LSBS Simulation

In our simulation of the LSBS protocol we exclude the L1 nodes, so that the network consists of only the 1000 L2 nodes. Initiator groups, $(r,l)$-IGs, are created if $r$ neighboring nodes share $l$ keys.

By implementing the protocol, we identified various practical concerns of IG formation which are not dealt with in [13]. In the first place, all nodes in the neighborhood of a given node $u_i$ may not be in transmission range of each other. For example, although $u_i$ might share the same $l$ keys with neighbors $u_j$ and $u_k$, it might not be able to create a $(3,l)$-IG with them because $u_j$ and $u_k$ are not neighbors. Therefore to form an IG, nodes must ensure that all potential members that share $l$ keys are also neighbors of one another. We implemented a simplified version of this condition in our simulation by only considering nodes within a radius of $R_B/2$, where $R_B$ is the transmission range of an L2 node (any two such nodes are then within $R_B$ of each other).

It is also possible that a node belongs to more than one IG, in which case it must choose to defect to only one of the groups. We use the following defection rule in the simulation: if a node belongs to more than one IG, it defects to the IG with the larger number of members. Making the IG as large as possible has three benefits: (i) fewer iterations are needed in LSBS to propagate the group key to the rest of the group; (ii) more nodes contribute to the group key and therefore the formation of the key is more democratic; (iii) the disbanded IG might no longer contain enough members to form an IG, and therefore we reduce the number of times the network is flooded.

Our results in Figure 5(a) show that as the number of shared keys needed to establish a secure channel decreases, a larger number of initiator groups get created. The values plotted are the averages obtained when the simulation is run 10 times using different seeds for the random function. For example, although for $r = 4$, $l = 7$ on average only two IGs are formed, there were runs in which no IG was formed. Thus to form an IG with very high probability, we must choose $l = 6$ or $l = 5$, in which case the number of IGs formed suddenly jumps to approximately 30 and 100 respectively. This means that to construct a group key, the network needs to be flooded 30 or 100 times, which is very inefficient.


Fig. 5. Number of IGs created using (a) different numbers of shared keys $l$ ($m = 5$, $k = 150$), (b) different key block sizes $m$ ($l = 8$, $r = 4$, $k = 150$).

Figure 5(b) shows the relationship between the number of IGs formed and the key block size $m$. Again we notice the jump from a very small number of IGs (e.g. $m = 5$) to almost 50 IGs when $m = 4$. However we know that the larger the number of keys shared between two neighbors, the less resilient the protocol is against neighbor compromise (see Equation 8). It is thus important to select network parameters that allow us to minimize the number of IGs that get created while also achieving a high degree of security against both an active and a passive adversary.

² Note that we can choose a smaller density of L1 nodes than of L2 nodes because the L1 nodes have a higher probability of establishing a secure connection.

³ We emphasize that the node density we have assumed is an overestimate of the density required to avoid a disconnected network. By choosing a more refined network connectivity model or incorporating possible deployment knowledge, we could decrease the network density while still maintaining connectivity. This would result in still lower communication costs.

For example, if we select the network parameters $k = 150$, $m = 4$, $r = 4$, $l = 8$, we obtain a good balance between the number of initiator groups that are formed (around 35) and the resiliency of the network against an active adversary. This means that to compute the final group key, the network is flooded with 35 different partial group keys. Because flooding occurs through the secure links established between nodes, each node must perform all the computation required to decrypt the received partial keys (received through secure links) and encrypt them to be sent on to other neighbors (secure send). Given that a node has on average 40 neighbors, it would therefore encrypt and decrypt approximately 20 times each.


6.3 LKD Performance and Discussion

By introducing hierarchy into the LSBS scheme, we are able to better control not only the formation of the local and cluster groups but also the distribution of the group keys. Figures 6(a) and (b) show the probabilities of connection for different local group sizes, as well as how much of the neighborhood can establish a pairwise $l$-secure connection with an L1 node. Our results show that with very high probability we can achieve a connected network. In particular, an L2 node can establish a secure connection with an L1 node with very high probability. Figure 6(c) graphs the distribution of the size of the $(l,r)$-groups centering around each L1 node. Each group on average is made up of one L1 node and 3 L2 nodes. We emphasize that the size of a group has no influence on the security of the group key; rather, a larger group ensures a more democratic process since more nodes contribute to the calculation of the group key.

Fig. 6. (a) Prob. of establishing an $l$-secure connection between $r$ nodes; (b) ratio of neighboring L2 nodes with which an L1 node can establish an $l$-secure channel; (c) number of groups formed for different values of $l$.

Comparing the performance of the LKD and LSBS protocols, the resources required of a sensing node are reduced in LKD as follows:

Reduced communication load. The L2-network is no longer flooded with all the partial group keys, due to the clustering of the nodes and the management of the local $(l,r)$ groups by the L1 nodes. In particular, each L2 node, with high probability, needs only to connect to the neighboring L1 node. Furthermore, if it falls in an $(l,r)$ group, it needs to exchange $O(r)$ messages to generate a partial cluster and group key. Therefore the number of messages that a sensing node receives and transmits is no longer a function of the neighborhood size.

Reduced computation load. LKD avoids the need for each sensing node to perform multiple decryptions and re-encryptions when transporting the group key. In addition, the management and decision making required for IG formation has been avoided and made the responsibility of the more powerful L1 nodes. In particular, in LKD with high probability each sensing node performs the SSKD protocol once, with the neighboring L1 node. In contrast, in LSBS nodes execute the SSKD protocol with every node in their neighborhood (in our simulation, 40 times).

Reduced storage space. In LKD sensing nodes do not store the incidence matrix, which is of the order $O(k \cdot d)$ where $k$ is the key ring size and $d$ is the size of the neighborhood. Nodes also do not need to keep an account of the different local groups or IGs they belong to.


Finally  we  note  that  in  LKD,  the  load  on  each  LI  node  is  at  most  equal  to  the  load  on  every  node  in  LSBS. 
Also,  the  number  of  times  LKD  floods  the  network  of  LI  nodes  is  in  the  same  order  as  the  number  of  floods  of  the 
whole  network  for  LSBS. 

7 Concluding Remarks

Traditional solutions for key pre-distribution assume the existence of a single TTP. This assumption however can be very strong in practice, especially when nodes belong to different domains and come together in an ad hoc manner, as in disaster response scenarios. In this work we showed the shortcomings of previous works [3, 13] in this area using both theoretical analysis and simulation. We proposed a new scheme that incorporates heterogeneous nodes to ameliorate the previous shortcomings, whereby the load on resource-limited nodes is reduced dramatically while in fact improving their security against node-compromising adversaries. In the course of our security analysis we pointed out the lack of a security model for self-organized networks and thus presented a security model for key distribution protocols in a self-organized ad hoc network.

Our theoretical and simulation analysis pointed to a number of future research directions. The adversary model can be analyzed further, providing simulation results to compare with the theoretical results presented in this paper. We also need to come up with a good communication model to ensure that we do not end up with a disconnected graph. Finally, it is interesting to see how the mobility of nodes can help ameliorate the lack of connectivity in the network.
A Proof of Proposition 1

Proof. Let $k_A = 2k_B$, where $t = 1$, $s = k_B$. Therefore, each L1 node (L2 node) picks two keys (one key) from each key block. For clarity purposes, we will first concentrate on the probability of sharing a key in a single block. Later, we use this probability to calculate the probability of sharing $l$ keys in multiple blocks and thus prove Proposition 1.

Consider two nodes, $u_i$ and $u_j$, that independently pick $i$ and $j$ keys from a key block of size $m$. Let $p_{i,j}(2,l)$ denote the probability that $u_i$ and $u_j$ share $l$ keys in this block, where $l \leq \min(i,j)$.

If $i = j = 1$, then there are $m$ possible choices for the shared key and $m^2$ different ways for the two nodes to select their keys. So, $p_{1,1}(2,1) = m/m^2 = 1/m$.

For $i = 2$, $j = 1$, assume the keys selected are of the form $(i_1, i_2)$ and $j_1$ for nodes $u_i$ and $u_j$ respectively. $(i_1, i_2)$ can be chosen in $\binom{m}{2}$ possible ways and $j_1$ can take on $m$ possible values. The two nodes have a common key if $j_1 = i_1$ or $j_1 = i_2$. Now $j_1 = i_1$ for $m$ possible values, and for each $i_1$, $i_2$ takes on $(m-1)$ possible values. Therefore, the probability of having a common key in each block is:

$$p_{2,1}(2,1) = \frac{m(m-1)}{m\binom{m}{2}} = \frac{2}{m} \qquad (10)$$

For $i = 2$, $j = 2$, assume the keys selected are of the form $(i_1, i_2)$ and $(j_1, j_2)$ for nodes $u_i$ and $u_j$ respectively. $u_i$ and $u_j$ will have:

— 0 shared keys: For the pair $(i_1, i_2)$, there are $\binom{m-2}{2}$ possible pairs $(j_1, j_2)$ with no shared keys; that is, pairs that exclude $i_1$ and $i_2$. Therefore,
$$p_{2,2}(2,0) = \frac{\binom{m-2}{2}}{\binom{m}{2}}$$

— 1 shared key: A given pair of the form $(i_1, i_2)$ has $i_1$ in common with $m-1$ pairs, and $i_2$ in common with another $m-2$ pairs. There are $\binom{m}{2}$ distinct pairs. Therefore,
$$p_{2,2}(2,1) = \frac{(m-1) + (m-2)}{\binom{m}{2}}$$

— 2 shared keys: For a pair $(i_1, i_2)$ there is exactly one pair $(j_1, j_2)$ with two collisions. There are $\binom{m}{2}$ distinct pairs. Therefore,
$$p_{2,2}(2,2) = \frac{1}{\binom{m}{2}}$$


We generalize the above equations to $r$ nodes. Let $p_{x_1,\ldots,x_r}(r,l)$ denote the probability that $r$ nodes, where each node picks $x_1, \ldots, x_r$ keys respectively, all share $l$ keys. We limit the possibilities to groups where all nodes pick only one key per block, or only one node picks two keys per block and the rest pick one key. This is because each L1 node creates groups consisting of only L2 nodes.

If $x_a = 1$ for all $a \in [1, r]$, then there are $m$ possible choices for the key and $m^r$ different ways for the $r$ nodes to select their keys. So, $p_{1,\ldots,1}(r,1) = \frac{m}{m^r} = \frac{1}{m^{r-1}}$.

For $x_1 = 2$ and $x_a = 1$ for $a \in [2, r]$, let $x^a_i$ denote key $i$ of node $u_a$. Then $(x^1_1, x^1_2)$ can be chosen in $\binom{m}{2}$ possible ways and $x^a_1$ for $a \in [2, r]$ can take on $m^{r-1}$ possible values. The $r$ nodes have a common key if $x^1_1 = x^2_1 = \cdots = x^r_1$ or $x^1_2 = x^2_1 = \cdots = x^r_1$. Now $x^1_1 = \cdots = x^r_1$ for $m$ possible values and for each such value, $x^1_2$ takes on $(m-1)$ possible values. Therefore, the probability of having a common key in each block is:

$$p_{2,1,\ldots,1}(r,1) = \frac{m(m-1)}{\binom{m}{2}\, m^{r-1}} = \frac{2}{m^{r-1}} \qquad (11)$$


Given the above probabilities of sharing $l$ keys in one block for 2 nodes and $r$ nodes, we now want to find the probability of sharing $l$ keys in $k$ blocks. Let $P_B(r,l)$ be the probability that $r$ L2 nodes share $l$ keys and $P_{A,B}(r,l)$ be the probability that $(r-1)$ L2 nodes and one L1 node share $l$ keys. Because the probability of sharing a key in each block is independent, we can use binomial coefficients to calculate the probabilities below:

$$P_B(r,l) = \binom{k}{l}\, \tau^{l}\, (1-\tau)^{k-l} \qquad (12)$$

$$P_{A,B}(r,l) = \binom{k}{l}\, \lambda^{l}\, (1-\lambda)^{k-l} \qquad (13)$$

where $\tau = p_{1,\ldots,1}(r,1)$ and $\lambda = p_{2,1,\ldots,1}(r,1)$.

Finally, we look at the special case of the probability of two L1 nodes sharing $l$ keys, $P_{A,A}(2,l)$. Each L1 node picks 2 keys from each block. Now let $\alpha$ and $\beta$ be non-negative integers satisfying $2\alpha + \beta = l$. To find $P_{A,A}(2,l)$ we note that each block can contribute 0, 1 or 2 shared keys, so $\alpha$ blocks contribute two shared keys, $\beta$ blocks contribute one, and the remaining $k - \alpha - \beta$ blocks contribute none.

This means that we have:

$$P_{A,A}(2,l) = \sum_{2\alpha+\beta=l} \binom{k}{\alpha}\binom{k-\alpha}{\beta}\; p_{A,A}(2,2)^{\alpha}\, p_{A,A}(2,1)^{\beta}\, p_{A,A}(2,0)^{k-\alpha-\beta} \qquad (14)$$

where $p_{A,A}(2,\cdot) = p_{2,2}(2,\cdot)$ are the single-block probabilities derived above.
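The closed forms (12)-(14) carried through in code, as an added Python example that is not part of the paper: it assumes a pool of $k$ blocks of $m$ keys with L1 nodes drawing two keys per block and L2 nodes one, cross-checks the two-L1-node block probabilities by brute-force enumeration, and takes the one-shared-key block case as the complement of the 0- and 2-key cases so that the three per-block probabilities sum to one.

```python
# Added example (not from the paper): closed forms (12)-(14) of Appendix A for a
# pool of k blocks of m keys; an L1 node draws 2 keys per block, an L2 node 1.
from itertools import combinations
from math import comb

def block_probs_l1_l1(m):
    """Two L1 nodes share 0, 1 or 2 keys within one block. The 0- and 2-key
    cases follow the proof; exactly one key is the complement, so the three
    probabilities sum to one."""
    pairs = comb(m, 2)
    p0 = comb(m - 2, 2) / pairs
    p2 = 1 / pairs
    return p0, 1 - p0 - p2, p2

def block_probs_l1_l1_enumerated(m):
    """Brute-force check: enumerate every ordered choice of two key pairs."""
    pairs = list(combinations(range(m), 2))
    hits = [0, 0, 0]
    for a in pairs:
        for b in pairs:
            hits[len(set(a) & set(b))] += 1
    return tuple(h / len(pairs) ** 2 for h in hits)

def tau(r, m):  # p_{1,...,1}(r,1): r L2 nodes all pick the same block key
    return 1 / m ** (r - 1)

def lam(r, m):  # p_{2,1,...,1}(r,1): one L1 node and r-1 L2 nodes share a key
    return 2 / m ** (r - 1)

def shared_over_blocks(k, l, p):
    """Eqs. (12)/(13): exactly l of k independent blocks yield a shared key."""
    return comb(k, l) * p ** l * (1 - p) ** (k - l)

def P_B(r, l, k, m):   # r L2 nodes share exactly l keys
    return shared_over_blocks(k, l, tau(r, m))

def P_AB(r, l, k, m):  # one L1 node and r-1 L2 nodes share exactly l keys
    return shared_over_blocks(k, l, lam(r, m))

def P_AA(l, k, m):
    """Eq. (14): alpha blocks give two shared keys, beta give one, rest none."""
    p0, p1, p2 = block_probs_l1_l1(m)
    total = 0.0
    for alpha in range(l // 2 + 1):
        beta = l - 2 * alpha
        if alpha + beta <= k:
            total += (comb(k, alpha) * comb(k - alpha, beta)
                      * p2 ** alpha * p1 ** beta * p0 ** (k - alpha - beta))
    return total
```

Summing P_AA over l = 0..2k returns 1, which is a quick sanity check on the multinomial form of (14) for any chosen k and m.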


B Example of Proposition 2

In this section, we give an example of how Proposition 3 can be used to calculate the probability of $r$ nodes sharing $l$ keys.

Example 1: The probability of an initiating group of size $r$ sharing exactly one key is:

$$P_{A,B}(r,1) = \binom{k}{1}\, p_S(r,1)\, (1-p_S(r,1))^{k-1} \cdot (1-P_S(r,1))^{k} + (1-p_S(r,1))^{k} \cdot \binom{k}{1}\, P_S(r,1)\, (1-P_S(r,1))^{k-1}$$

Example 2: The probability of an L1 node and an L2 node sharing exactly one key. We note that $p_S(2,1) = p_{A,S}(2,1)$ and $P_S(2,1) = p_{B,S}(2,1)$ are the single-block probabilities derived above. Therefore, we obtain:

$$P_{A,B}(2,1) = \binom{k}{1}\, p_S(2,1)\, (1-p_S(2,1))^{k-1} \cdot (1-P_S(2,1))^{k} + (1-p_S(2,1))^{k} \cdot \binom{k}{1}\, P_S(2,1)\, (1-P_S(2,1))^{k-1}$$


